Microsoft woos customers to the cloud with a slew of new networking, security, storage, DR, management, and orchestration capabilities

Microsoft's Azure cloud started slow. It was announced in October 2008 and launched in 2009, but its appeal was limited by its focus on cloud services rather than familiar Windows infrastructure, combined with awkward management tools. In 2012 Azure improved, adding a true IaaS offering based on persistent virtual machines and a user-friendly Web management portal. Then in April 2013, IaaS features, including the new VM and virtual network features, moved from preview to general availability.

Azure is now growing fast, and since the TechEd conference in April 2014 has added numerous new features intended to let Microsoft shops easily migrate all or part of their server infrastructure and applications to Microsoft's cloud.

To use the new file-share service, you first create a new storage account, with options for regional or geo-redundant replication, then you create a file share using PowerShell scripts or .Net code. Access is protected using a long storage key generated by Azure. You can access the shared folder from an Azure VM using that key, just as you would on any Windows network, including the ability to map a drive letter with net use. The same files are also accessible over the Internet using PowerShell or REST APIs. Typical uses include migrating on-premises applications that use shared folders and storing files for a website served from multiple VMs.
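The procedure above, as an added example that is not from the article: it uses the Azure PowerShell service-management cmdlets of the time to create the account and share, reads the generated storage key, and maps the share from a Windows VM. Account, share and region names are placeholders, and the replication parameter name is assumed for the module version in use.

```powershell
# Added example (not the article's code). Placeholders: account, share, region.
$accountName = "contosofiles"   # must be globally unique and lowercase
$shareName   = "appshare"
$location    = "West US"

# 1. Storage account. -Type selects replication: Standard_LRS (locally
#    redundant) or Standard_GRS (geo-redundant). Assumption: parameter name
#    as in the module version that shipped with the file-share preview.
New-AzureStorageAccount -StorageAccountName $accountName -Location $location -Type "Standard_GRS"

# 2. The key Azure generates is the only credential for the share, and it
#    grants full access to the whole account. Read it at run time rather than
#    pasting it into a script; regenerate it with New-AzureStorageKey if exposed.
$key = (Get-AzureStorageKey -StorageAccountName $accountName).Primary
$ctx = New-AzureStorageContext -StorageAccountName $accountName -StorageAccountKey $key

# 3. Create the SMB share and confirm it exists over the REST-backed cmdlets.
New-AzureStorageShare -Name $shareName -Context $ctx
Get-AzureStorageShare -Name $shareName -Context $ctx

# 4. On an Azure VM in the same region, map a drive letter. The user name is the
#    storage account name and the password is the storage key.
net use Z: "\\$accountName.file.core.windows.net\$shareName" /u:$accountName $key
```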

In October 2013, Microsoft announced Hyper-V Recovery Manager, a service that enabled Azure to orchestrate site-to-site replication and recovery in the event of a disaster. Though it makes sense to have a third site manage recovery if your primary site fails, the customer still needed servers in two data centers for Hyper-V Recovery Manager to work, limiting it to large businesses.

The service is now renamed Azure Site Recovery and lets you replicate and recover to VMs hosted on Azure itself, extending its value to businesses of almost any size. Site Recovery is based on Hyper-V Replica, which keeps VMs synchronized with only a small delay. The on-premises side is configured with System Center Virtual Machine Manager.

Azure ExpressRoute lets you connect your data center with Azure via a private link that does not travel over the Internet. The advantages are security, lower latency, and higher reliability. Bandwidth is up to 1Gbps, or up to 10Gbps if you connect directly through an exchange provider (Equinix or Level 3).

At TechEd Microsoft announced general availability of the service, including an enterprise SLA (Service Level Agreement). Providers include AT&T, Equinix, Verizon, BT, Level 3, TelecityGroup, SingTel, and Zadara. In order to take advantage, you need an existing VPN or Ethernet connection to your exchange provider or to have servers co-located in the exchange provider's data center.

Microsoft has developed new extensions for Azure VMs. These include support for Puppet and Chef, which let you manage VM configuration through agents, and security extensions that install antimalware protection using services from Symantec, Trend Micro, or Microsoft itself. The third-party security services are installed on a trial basis, and you need to purchase a license from the vendor to continue.

Microsoft Antimalware is free while in preview. The details of what is protected depend on the product you choose. Microsoft Antimalware can also be enabled on other cloud services, such as Web Roles and Worker Roles.

Microsoft previewed a new Azure portal at the Build conference in early April. It is incomplete, and for many operations you need to click the link to the old portal, but it adds key features. There are new tools to monitor and analyze Azure Web Sites, for example, and to set up Web tests and get alerts if a site goes down. There are also devops features (bringing together development and operations), including integration with Visual Studio Online, which provides project management and source control for teams.

There is more attention paid to applications in the new portal, whereas the existing portal is focused on individual services. The new portal will also scale better as Azure adds new features.

Azure has impressive networking capabilities, but with some frustrations. Several key announcements lessen these. One is support for multiple site-to-site connections to virtual networks, essential for organizations with several sites; another is the ability to connect virtual networks to each other, including across different Azure regions.

Another important new feature is the ability to reserve public IP addresses. Previously, you couldn't control the public IP assigned to a new service. You can also now assign public IPs directly to VMs, bypassing Azure's endpoint control. If you do this, you take responsibility for firewall protection on the machine, though Microsoft says this may change in the future.
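An added example, not from the article, of the two features just described: reserving a public IP for a cloud service, attaching an instance-level public IP to one VM, and then, because that VM is no longer behind Azure endpoints, giving its host firewall a default-deny inbound policy. Service, VM, IP names and the admin address range are placeholders; the cmdlets are the Azure service-management module of the time plus the built-in Windows firewall cmdlets.

```powershell
# Added example (not the article's code). All names and addresses are placeholders.
$location = "West US"

# Reserved IP: the address belongs to your subscription and survives the
# service being deleted and recreated, so it can go into DNS in advance.
New-AzureReservedIP -ReservedIPName "ContosoWebIP" -Location $location
(Get-AzureReservedIP -ReservedIPName "ContosoWebIP").Address

# Pick a current Windows Server image and build a VM with its own public IP.
$imageName = (Get-AzureVMImage |
    Where-Object { $_.ImageFamily -like "Windows Server 2012 R2*" } |
    Sort-Object PublishedDate -Descending | Select-Object -First 1).ImageName
$cred = Get-Credential   # local administrator account for the new VM
$vm = New-AzureVMConfig -Name "app01" -InstanceSize "Small" -ImageName $imageName |
      Add-AzureProvisioningConfig -Windows -AdminUsername $cred.UserName `
          -Password $cred.GetNetworkCredential().Password |
      Set-AzurePublicIP -PublicIPName "app01pip"
New-AzureVM -ServiceName "contoso-app" -Location $location `
    -ReservedIPName "ContosoWebIP" -VMs $vm

# --- Run inside the VM once it is up ---
# With an instance-level IP there is no Azure endpoint in front of the machine,
# so the Windows firewall is the only filter: block inbound by default, then
# allow RDP only from a known admin range (placeholder documentation prefix).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block
New-NetFirewallRule -DisplayName "RDP from admin range" -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 203.0.113.0/24 -Action Allow
```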

Azure Active Directory (AD) is a key part of both Azure and Office 365, which uses the same directory. The directory service is free, but a premium version, now in general availability, adds multifactor authentication, security reports showing suspicious access, self-service password reset, and group-based application access. Azure AD can be integrated with on-premises AD, enabling single sign-on and simplifying user management.

More significantly, Microsoft says Azure AD now supports 1,200 third-party SaaS apps, including Salesforce.com, Box, Citrix GoToMeeting, and even Google Apps. Azure AD Premium is also part of the Enterprise Mobility Suite announced in March, along with Intune for mobile device management and Azure Rights Management for protecting sensitive documents.

Another new service now in preview is Cloud App Discovery. This is not yet integrated into the Azure portal, but will be in due course. In the meantime, it's available on Azure's site.

The idea is to discover which cloud apps are in use within an organization. Microsoft's hope is that businesses will choose to integrate these apps with Azure Active Directory for easier management and control. Cloud App Discovery requires an agent running on client machines, which monitors app usage and sends the information to the service. You can see which apps are most used, categorized by type (such as Travel, CRM, and Social). The risk is that employees may feel this is snooping, but the data has obvious business value.

Microsoft doesn't offer VDI (Virtual Desktop Infrastructure) on Azure, and in fact does not allow Windows 7 or Windows 8 desktops to be hosted in any cloud. (The lone exception is covered below.) But now in preview is Azure RemoteApp, which lets you host Windows applications in Azure and serve them, using Remote Desktop Services, to Windows, Mac, iOS, and Android devices. The preview does not let you install new applications, but you will soon be able to publish custom applications. Authentication is via Azure Active Directory.

Support for iOS and Android shows that Microsoft is following through on its "any device" strategy, though Windows Phone is not yet included.

Microsoft now offers Windows 7 and Windows 8 VMs on Azure, but only to MSDN (Microsoft Developer Network) subscribers, limiting their use to test and development. Microsoft's licensing FAQ states, "Multitenant hosting is restricted in the Product Use Rights of Windows Client, such as Windows 7 or Windows 8. Windows Client Desktops are not available on either Azure or on any other Service Provider such as Amazon or Rackspace."

Amazon Workspaces, a cloud-hosted Windows VDI offering, actually runs Windows Server 2008 configured to look like Windows 7. It's an annoying restriction, but at least developers now have a workaround, giving them a quick way to test applications running on the Windows desktop OS.